Posted by Soulskill on Monday September 13, 2010 @03:34PM from the damage-control dept.

CWmike writes "Microsoft has urged Windows users to block ongoing attacks against Adobe's popular PDF viewer by deploying one of Microsoft's enterprise tools. Adobe echoed Microsoft's advice, saying the Enhanced Migration Experience Toolkit (EMET) would stymie attacks targeting Reader and Acrobat. Called 'scary' and 'clever,' the in-the-wild exploit went public last week when security researcher Mila Parkour reported it to Adobe after analyzing a rogue PDF document attached to spam. Adobe first warned users Wednesday of the threat, but at the time gave users no advice on how to protect themselves until a patch was ready. Microsoft stepped in on Friday. 'The good news is that if you have EMET enabled ... it blocks this exploit,' said Fermin Serna and Andrew Roths, two engineers with the Microsoft Security Response Center in an entry on the group's blog."
A Symantec blog post suggests the people exploiting this vulnerability may be the 'Aurora' group responsible for the attacks on Google late last year.

What does it say about your company when another company has to clean up your mess while you stand around, thumb up ass, not appearing to be doing anything meaningful?

This has nothing to do about MS being good or evil. They've got a solution to the problem and it's much welcomed. Hopefully Adobe gets this fixed shortly so that people who can't make use of Microsoft's solution don't have to worry about the vulnerability either.

It's called cooperation. I don't get this kind of reaction; how do you "appear" to be doing "anything meaningful"? Is it not better to actually be working on a fix, than to appear to be working on a fix?

I don't see how this turns into "someone else cleaning up your mess while you stand around, thumb up ass." Any security fix takes time -- the question is how fast should the response be? If your argument is that 3 weeks is too long, that would certainly be a valid opinion. (Adobe's bulletin notes they a

I wonder if this was M$ who thought up another way to exclude all non-legit copies from getting the much-needed fix. Sure, just pay money to get a legit copy, or move to Linux to avoid paying for an OS... I am sure there are many out there who would appreciate M$ offering free updates EVEN FOR NON-LEGIT copies, as this would definitely make me rethink my "M$ is evil" methodology; however, it would also lend a much-needed hand at securing more of the internet that is still vulnerable and responsible for most spam t

Look, naming conventions change over time and I'm not so sure it ever meant what you seem to think it meant anyway. In this context "0 day" means there are no known fixes for the problem. In other words it has been 0 days since a fix was released.

It did mean that, at one time. Zero-day meant that it was still unpublished... still secret. You had an exploit that was going to work because "nobody" knew about it. That is, nobody but you and others who had elite access to the BBS' filez. Now the industry has shifted the term to mean that the vulnerability is unpatched. Which, I suppose, has a lot of the same general meaning. Although I think it's lost a lot of the edge; big difference between unpatched and (relatively) unknown.

Well, just like standard language, words become twisted and used wrongly enough that they become common use, then over x time, standard use. How many people have you heard use the word "ignorant" to mean "asshole"? Or "ironic" to mean "coincidental"?

I mean hell, in the IT world, a couple of examples are "megabyte" which somehow now means 1000^2 bytes now, instead of the 1024^2 that it has meant forever (or as long as I have been alive). "Alpha" software used to be "still in design phase" and Beta used to m

I mean hell, in the IT world, a couple of examples are "megabyte" which somehow now means 1000^2 bytes now, instead of the 1024^2 that it has meant forever (or as long as I have been alive).

It still means what it used to mean, unless you're a drive maker. They did get a committee to muddle the water in order to avoid lawsuits, but that doesn't change the meaning of a term that's been well-established for sixty years.

The few places that do use it do have bad effects. In fact, "MiB" for most IT professionals who haven't heard of that committee's revelations sounds like "millions of bytes", bringing confusion. Plain old "MB" doesn't have that flaw as long as drive labelling is not concerned.

The _telco_ world was never one of the 1024 users. Telecoms is all based around the old bitrates of the telephone systems, which were always multiples of 1000 bits per second: historically, audio telephony had a sampling frequency of 8 kHz.

Reads like Parkour reported an exploit being used actively in the wild to Adobe, to me. Which would make the sequence of events (1), (2), and this a zero day exploit. Silly term in any case, the relevant terms are, imo, "fixed" and "ongoing."

Seriously, Foxit is the way to go unless you have a reason. If you can't think of one, then you don't have one :). There are things Foxit doesn't do or documents it has problems with, but for normal users it is exceedingly unlikely you'll encounter them. The thing is much lighter weight and seems to have few security issues. Maybe it is just because nobody is looking, but regardless.

I was so glad when I found it for rolling out in our instructional labs. I got sick of having to do an update for Acrobat ever

I installed Foxit, and every time I clicked a PDF link in Firefox, the disk would churn for 5 minutes and everything else running in the browser would come to a halt. It made Acrobat Reader fleet-footed by comparison.

Sumatra [kowalczyk.info] is my PDF reader of choice now. The program consists of a single executable, and it's open source and GPL'ed. As long as all you need to do is load and read PDFs (imagine that, a PDF reader that just reads PDFs), it gets the job done beautifully.

Yes. It wants to install the Foxit Search Bar powered by Ask (opt-out). It wants to set ask.com as your home page (also opt-out).

I just downloaded the most recent zipped version for Windows last night, and it didn't even need an installer.

Right. That's hardly how most people install the software.

Past versions that I've used the installer version of, had a rather obvious checkbox that you could use to opt out of installing a toolbar.

Oh, so you know all about the toolbar crap, and you are just being disingenuous. Classy.

Bottom line, this sort of behaviour is skirting the border of being malware. What percentage of users appreciate another toolbar being crammed into their browser? What percentage of users appreciate their home page being changed? When both are pretty close to zero, you don't make it OPT-OUT in your installation wizard. It's especially obnoxious when users have to keep opting out each time they install an update.

Having an opt out toolbar or home page change as part of the default install is obnoxious enough for me to avoid recommending foxit. Too many people will end up with them and none of them will appreciate it.

I said this in the original article on /. for this exploit, but I'll post it again. I use the portable version of Sumatra PDF [portableapps.com] on my Windows installation and have never had any problems while using it. I would certainly recommend it to people who do not like Foxit as a replacement for Acrobat.

Well let the old Hairyfeet add some helpful wisdom to those out here that have clueless relatives. Tell them to uninstall Adobe, then send them to Ninite [ninite.com] and tell them which boxes to check. Ninite has fully automated installers for all the popular apps, including FF and Chrome, Songbird and Winamp, and of course Foxit and Sumatra PDF reader. Oh and ZERO toolbars from those companies that give you crap like Oracle Java.

So trust your old pal Hairyfeet. You got clueless user/relatives, maybe that live many m

I highly doubt home consumers (i.e. your grandmother) are going to install this enterprise application in order to solve a "0 day" exploit for Adobe. I mean, really? Can a normal person even read the previous sentence I just wrote?

Maybe they should work harder at patching it than finding workarounds, or just tell us the truth (don't open any PDFs, or use Foxit).

At this point, Adobe Reader is so stupidly bloated that I'll frankly be disappointed if Reader 10 doesn't launch a virtualised instance of Windows inside which another copy of Reader is used to actually render the PDF.

Every time a news article says there's a flaw in Acrobat Reader and that everyone is vulnerable, it reinforces the idea that everyone uses Acrobat and there is no other option.

No such thing as bad publicity, bandwagon propaganda, and all that. They might as well put flaws in on purpose for the free monthly advertising. All it takes is a tiny portion of flaws to appear in Foxit, which does happen sometimes, and Adobe gets to claim that no reader is flaw-free.

You know, Foxit does this. It enables 'secure reading mode' when you open a PDF from the browser. Adobe should copy this feature, but instead they keep talking about a complex sandboxing scheme for their app.

I'd rather they put in a mode like this, but they won't. Why? Because all those features it disables have been engineered by Adobe and as such they have performed a defacto extension of the PDF spec. Disabling this feature is admission that Adobe is incompetent and that people can live without js/flas

Yeah, it's getting better every time. The other day I opened a PDF used for service inscription, and I was amazed to see that evince displayed embedded form widgets like input boxes, dropdown menus etc. It was slick!

TBH I prefer to be lagging in functionality and have security than the other way around - but that is just me!

Great, so EMET will be downloaded by a few developers and IT experts and their systems will work fine. However, develop and deploy this beta application to run on the thousands of end user workstations on a corporate network? I'm sure between the unintended system slowdown from YET ANOTHER APPLICATION combined with users wondering what this new icon is doing, it ought to be seamless.
Too bad FoxIt and others don't provide a nagware free product that's an enterprise solution.
Maybe Adobe will start roping ba

Why doesn't Microsoft make EMET part of Windows Defender, and auto-update the settings for various applications/DLLs (like the way they update compatibility-mode settings for websites in IE8)? They could have prevented this exploit on day 1.

Much though I wish this was a complete solution, there are two possible problems with it.

The first is that ASLR is only available on NT 6.x (Vista, 7, Server 2008). People using XP are out in the cold, which they arguably deserve for using such an outdated OS, but the rest of us don't deserve the collateral damage their rooted boxes will spew (for bonus points, XP has no form of browser sandboxing and the default user has Administrative permissions, making it the most likely to be successfully exploited in

Yeah, that word threw me for a bit. On one hand, I was scared because I didn't want to know what Microsoft wanted to Migrate users to... on the other hand, it could have been a Windows to Linux migration tool... okay, probably not that but I have to pull some optimism from somewhere.

My personal system uses PDF Xchange Viewer. But on another that has Acrobat Reader 8.x installed, I'm not able to find the dll in question. I never upgraded to 9.x on that system due to bloat but guess new features will come with bugs/vulnerabilities.